CVE-2022-40238

HIGH8.8Insecure deserialization

Description

A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

CERT/CC / VINCE - The Vulnerability Information and Coordination Environment1.48.0 – 1.50.5

References

MISChttps://github.com/CERTCC/VINCE/issues?q=label%3Asecurity